tech-security archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: cgd (encrypted disk) support in bootblocks (Was: summer of code - scrub feature)

David Brownlee wrote:
Collectively this sounds more like two projects to me, though the
latter could suffice for both cases, for a first stab at it.  The
latter is also less low-level code and more scripting work (and
perhaps crunchgen for space), which may make multiplatform support
less painful.  Mentors' mileage may vary.

    Could you clarify how the latter would work - is the intention
    to allow the system to boot up to a point where the administrator
    can connect in to finish cgd configuration and remount?

    I can see the utility of both, and would be very happy with
    either :)

I've previously been using the sysctl init.chroot to switch from a ram image root to a cgd based root. This allows me to have the cgd parameters physically separated from the computer in question. This solution is not perfect, as it doesn't appear to work on NetBSD/amd64 when booting from an USB memory key (see PR 36963).

In a previous discussion concerning this particular bug, Thor Lancelot Simon expressed some skepticism about the way init.chroot is implemented, so I started thinking about alternative ways to implement "root on cgd".

I've been looking into if it's possible to hard code the cgd parameters in a kernel configuration, and tell the kernel to mount root on a cgd-device. The goal is to be able to have the cgd parameters physically separated from the rest of the system (apart from the parameters in ram). Unfortunately, work has been keeping me too busy to put any real effort into it. I might just as well ask here; would it be possible to boot a kernel, which is hardcoded to use cgd0 as a root, off a USB memory key? Obviously the kernel will need to configure the cgd0 device prior to mounting root, which may be a source of difficulties.

If it's possible, I'd be willing to implement this myself, but it would move along faster if someone would be willing to give me tips if I get stuck. So, would it work? If so, are there any non-GoS mentors available?

This obviously won't help first time installers, so getting cgd-integration in the installer is a separate (and very important, imho) project.

Kind regards,
Jan Danielsson

Attachment: signature.asc
Description: OpenPGP digital signature

Home | Main Index | Thread Index | Old Index